CVE-2026-5442
Last modified
CVE-2026-5442 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. EPSS estimates a 0.60% chance of exploitation in the next 30 days.
Description
A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Orthanc-Server | Orthanc | < 1.12.11 |
References
- https://kb.cert.org/vuls/id/536588Third Party Advisory, VDB Entry
- https://www.machinespirits.de/Not Applicable
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-5442?
How severe is CVE-2026-5442?
How do I fix CVE-2026-5442?
Are you affected by CVE-2026-5442?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST